Slashdot Mirror


Flaw Finders Lay Siege to Microsoft Office

An anonymous reader writes "The Register is reporting that bug reports on the latest iteration of Microsoft Office are certainly keeping the Redmond firm's programmers busy. So far this year 24 flaws have been found by outside researchers, more than six times the number found in all of 2005. From the article: 'The deluge of vulnerabilities for the Office programs - Word, Excel, PowerPoint, Outlook, and, for professional users, Access - signals a shift in the focus of vulnerability research and underscores the impact of flaw-finding tools known as fuzzers. The vulnerabilities in Office also highlight the threat that such files, if remained unchecked, can pose to a corporate network. Not since the days of macro viruses and Melissa have Office files posed such a danger to computer security.'"

5 of 149 comments

  1. Is OpenOffice ready? by kripkenstein · Score: 4, Interesting

    I guess it sucks if your business requires some esoteric feature in Microsoft's expensive and proprietary office software, but it is outright incompetence for any CTO to not have migrated, in the process of migrating, or planning on migrating their workers to OpenOffice at this point.

    Personally, I use OpenOffice, but from what I hear it's not that easy to use OpenOffice for many corporations. Some people I know are in the process of building a tech company, and they wanted to use OpenOffice, both because of the cost and because of the security. But some testing revealed that a single feature made that impossible for them: 'track changes' worked fine in OO, but opening a document from Office with change tracking never succeeded 100%. Apparently they plan to collaborate on documents with people outside their organization, so that's a problem. Sadly it looks like they will be buying Office licenses soon.

    OpenOffice is great for a home user, but 'enterprise-oriented' features like tracking changes with people using Office are a must for some corporations. Until OpenOffice gets this sort of stuff to work, I can't completely agree with the quote above.

    Although, given the security risk for Office users - which we can't even evaluate, as I'm assuming most corporate espionage is never discovered - it might be rational to find a way to live without some of the features in Office. Or, alternatively, to run Office on Crossover Office on Linux (assuming some of the trojan functionality, e.g. calling home, depends on ties with the underlying OS, which makes sense to me).

  2. Re:OpenOffice by vux984 · Score: 5, Interesting

    If the business case for switching to OO were that clearcut, you think MS Office would still be around?

    Yes. Absolutely. "Nobody ever got fired for recommending Microsoft Office."

    I know several businesses where 90% of the users don't need much more than WordPad who are running MS Office Pro. They only use spreadsheets at all because the "table" layout makes doing certain types of form easier -- they have timesheets, expense sheets, etc that don't even use calculations. They don't use PowerPoint or Access or even Outlook. (they're on a corporate webmail)

    They DO NOT need several hundred licenses of MS Office.

    But the IT director authorizes Office Pro on every new desktop. There is no business case for it. When I suggested they cut costs and standardise on OO on at least the machines that are being used by low level staff to fill out their time sheet and read office memos I just get a blank stare.

    They've never heard of it, don't believe that it could possibly meet their needs (which they've clearly never actually assessed), and they have ZERO intention of even looking into it. Worse, they've been gradually growing, and new machines come with new Office, the old machines have "old Office".. so they are supporting users with every version of Office since 95.

    It's sad.

    FWIW I *have* converted a couple companies to OO, and the most recent was done as part of a general upgrade. We pulled out boxes with Win98 and Office 98 and dropped in new XP Pro boxes with OO. We set the defaults to use office formats so there would be minimal transition issues. Most staff aren't even really aware they aren't using Microsoft Office anymore -- which is unfortunate really, because it's not doing OO much good if people don't even know they are using it.

    I've also recommended OO to many home users. For the most part they are happy with it, and it works well enough that they actually prefer the "legality" of it even if it's not 100% what they are used to.

  3. Re:OpenOffice needs this too by umkhhh · Score: 5, Interesting

    I would not worry - if OpenOffice gets more popular it will get its share of abuse and fixes too.

    Having said that - part of MS problem is systematic: its closed (as opposed to open) design nature is slowing down debugging and more importantly its close relationship with OS is proving fatal to security. OO does not have that.

  4. Quite right by kahei · Score: 4, Interesting

    Absolutely. As soon as OO implements a large enough subset of Office features, I'll be all over that.

    Until then, as long as there's a need to embed documents, to use a powerful macro language that communicates with the OS and other software, to have data update in real time, to interop with business logic that depends on DDE or XLLs, or to do any of the million other essential things that Excel (in particular) does and OO does not, it's "Hello, Clippy!"

    Actually, though, I do have some questions for those who might take a more optimistic view than me:

    1 -- maths formulae created in OO don't seem to work in Word. Is that OO's fault or Word's?
    2 -- Bloomberg's DDE system seems not to work with OO (not that it's particularly efficient in Excel either). Is that OO's fault or Bloomberg's?

    --
    Whence? Hence. Whither? Thither.

  5. If someone else can find the flaws, why didn't MS? by Futurepower(R) · Score: 3, Interesting

    It seems amazing to me that there are so many very critical flaws in Microsoft products. If someone else can find the flaws, why didn't Microsoft?

    I've heard that Microsoft is managed in such a way that programmers don't have time to finish their work. I know that Microsoft makes more money if there are more flaws, because users can be expected to upgrade.

    However, it seems that there are too many bugs for that to be the whole explanation.

    So, why, year after year, has Microsoft been at the top of the vulnerabilities list? I don't accept the argument that "software is complex, and always has bugs." There are people who know how to write complex software that is secure. Microsoft could certainly hire such people. If the company wanted to have software that was relatively free of vulnerabilities, it could.

    The argument that Microsoft vulnerabilities get more attention doesn't seem adequate to me to explain the huge number of very severe bugs.

    But, what is the explanation?